iSecureOS VS cicuta_virosa

There's an iOS anti-malware application called iSecureOS. It claims to be open source uses a slightly modified version of the GPLv2 that GitHub still detects as GPLv2.

I understand your stance of only using AppleScript for AirMessage, as it allows for an installation that anybody can do on any supported Mac. It is nobody's fault except for Apple's that accessing many of iMessage's features requires the SIP to be disabled. Below, I will be quoting u/mqudsi from their article "iMessage for Windows - A labor of love that will never see the light of day" (a long, but very interesting read that I highly recommend). It seemed at the start that the best bet would be to focus on the (extremely limited) surface area of iMessage functionality exposed to AppleScript, which could be used – with some awkwardness and lots of guesswork – to at least implement some basic message forwarding capabilities. [...] but it soon became apparent that Apple had gone out of their way to quite intentionally and very secretively4 break even what limited functionality the AppleScript approach offered. I was aware that old versions of OS X did not sufficiently lock down AppleScript in such a way that would prevent the use of OS X as an iMessage proxy, and could have resorted to that approach from the very start. But I wanted to do this and I wanted to do it right. I wanted an elegant approach that I could deploy on the same machine I still used from time to time, without being stuck on an ancient (and insecure) legacy version of OS X and then, from the footnotes 4 Apple has never officially recognized the breakage of the AppleScript API, which blocked many operations pertaining to accessing existing chats and creating new ones, in subsequent macOS releases. 9 Messages.app doesn’t even offer AppleScript integration for incoming SMS messages, meaning there was no AS-based approach to getting notifications on incoming text messages from users not on the iMessage network. In this project, u/mqudsi did a wonderful documentation of what it was like to try and figure out iMessage forwarding from macOS. Whether or not his final solution required the SIP to be disabled, I'm not sure, but it sounds like he felt a newer version of macOS with the SIP disabled was more secure than using a legacy version that had more options available through AppleScript. Now, I am not going to argue against your point that disabling the SIP can be dangerous, and it can give an app unwanted access to important system files. However, I will argue that there are power users and other users who know exactly what they're doing, and who have no problem with disabling SIP in the name of accessing more features. There are even users who don't know much about it, but who are willing to learn. That was my case eight years ago when I first jailbroke my iPod Touch because I wanted more features (at the time, theming app icons and having animated scroll pages). I have been running jailbroken iOS every day since then, and I have been doing it safely and efficiently. At first, I had no idea what I was doing, but thanks to countless YouTube tutorials, written articles, and the help of r/jailbreak, I am now much more familiar and well-versed in the practice. In terms of macOS, my Mac has had its SIP disabled for close to eight months now with no problem, and with access to many iMessage features for both BlueBubbles and MyMessage. Even the OP of this post replied Yeah, I'm cool with running my Mac with SIP disabled, and while I am assuming here, I feel like they are just like I was eight years ago when I decided I was okay with jailbreaking my iPod, even if I wasn't 100% sure about how to do it. Now, I am going to steal/paraphrase an explanation from isaac#9000 from Discord. A computer, like a knife, is a tool. A dull knife, while a safer tool, is not as effective as a sharp knife. However, a dull knife is safer. Companies can choose to ship out dull knives in the name of keeping their customers safe, but it would be much better if they actually taught people how to safely use a sharp knife instead of restricting them to only being able to use a dull knife. Then, those who want to use a sharp knife can do so, and those who want to use a dull knife can also do so. This is just about exactly how I feel about the topic. In not having AirMessage utilize any features that require the SIP disabled, you are keeping the users much more safe. However, some users want to use a sharper knife and they know how to do so or are willing to learn. I feel like making an option to use AirMessage with the SIP disabled would be a good route to take, and of course I would recommend hiding it behind a bunch of warning screens and confirmation boxes so that you can verify that whoever wants to access those features/versions is able to knowingly do so. At the end of the day, AirMessage is your app, and all of the official versions should follow your vision for the app. As I understand it, you have a mission to make it as streamlined and easy as possible to install and set up AirMessage, and I both respect and commend that. With the recent release of AirMessage Cloud to the public, I feel like you have greatly improved the ease and usability of the application for new and inexperienced users, and that is great work that I'm sure the entire AirMessage community appreciates. If this vision of AirMessage is what will prevent it from implementing SIP disabled versions or jailbroken iOS versions, I understand that. However, you do seem at least somewhat open to the idea, as in this comment you showed approval for doing some kind of combination of AirMessage/SMServer so that the servers and clients could communicate with each other. SMServer can only run on jailbroken iOS, which is, in essence, very similar to SIP disabled macOS. Even if AirMessage were to one day implement a no SIP version, I do not expect you or anybody else to heavily promote it to the masses. This is a modification that can be dangerous, as you've said, but with the proper guidance and warnings, I am sure that people will be okay. I only really follow one rule for my computers'/smart devices' safety, and it protects both the modified and non-modified ones - Don't install anything that you don't trust or know where it came from. By following this one simple rule, I am sure that 99.99% of people will be okay. And even now, there are new tools such as iSecureOS by u/GeoSn0w that keep jailbroken iOS devices safe from malware and other vulnerabilities. I am sure that a similar tool exists or will exist for Macs that have their SIP disabled. I'm sorry for the lengthy response, but it is a topic that is very important to me. Let me know what your thoughts are, and as always, thank you for all your work on this amazing app.

Also: Source Code: https://github.com/GeoSn0w/iSecureOS

I can almost guarantee so many exploits wouldn't be sold to companies like Cellebrite or to foreign governments, or even given out for free, if Apple paid market rate for them. They won't though, because they prefer to reflect and obscure, pretending that the problem doesn't exist.

Modernpwner, the team that found the iOS 14.3 and below exploits for jailbreaks (unc0ver and Taurine) has hinted at a possible bypass that could lead to a jailbreak for 14.5 (PAC bypass section of https://github.com/ModernPwner/cicuta_virosa). You could theoretically update to either one of these versions right now since they’re being signed, but given the time it takes for jailbreaks to become a thing, these versions might not be signed by Apple if or when a full jailbreak is released for them. You’d have to play the waiting game for a good while if you update now, and none of these exploits are guaranteed to be stable enough for a full fledged jailbreak anyways. That’s why blob saving is so powerful!

With the release of iOS/iPadOS 14.5 and the public disclosure of security content for 14.5 (https://support.apple.com/en-us/HT212317), as well as the potential for another exploit for 14.5 from Modernpwner (PAC bypass section of https://github.com/ModernPwner/cicuta_virosa), updating looks enticing right now. However, you don’t have to lose your jailbreak and play the waiting game.

I don't see how cicuta_virosa is a good example. It doesn't seem to prohibit redistribution, instead using the GPLv3 license with no modifications. The only reason there's an exception for Odyssey as far as I can tell is that Odyssey is licnsed under a BSD license, so it could not include GPLv3 code without changing the license to GPL. But the exception clearly isn't part of the license; it's a invitation for those who don't like the license to DM for an entirely different license.

I don't know. The cicuta_virosa github page says that they may release a 14.5 exploit but I wouldn't get your hopes up.

I read about a 14.5 exploit here

Don’t lose hope here they said they found a new technique to bypass 14.5 and may publish 14.5 exploit after Apple patch.

It actually says this on the GitHub here